
How Passive Network Metadata Exposes BGP Routing Attacks

The intrusions that defined Salt Typhoon weren’t just about breaking into routers. They were about controlling what the network believes is true.

When a sophisticated adversary targets carrier infrastructure, the most powerful capability they can acquire isn’t a shell on a device — it’s influence over the routing control plane. Because if you can change where traffic thinks it’s going, you don’t need to compromise every hop along the way. You just need to redraw the map.

The Border Gateway Protocol — BGP — is that map. It’s the system by which the internet’s autonomous networks agree on how to reach each other. And it was designed for trust, not adversarial environments.

Earlier posts in this series covered how Salt Typhoon exploited SSH behavioral anomalies, web management interfaces, and authentication infrastructure to move through carrier networks. Those techniques required persistent footholds — credentials, sessions, access. BGP manipulation is different. At the routing layer, the attack surface is the protocol itself.

The question is: what does that look like in the metadata? And can you see it without being inside the router? The answer is yes.

How BGP Becomes a Weapon

BGP operates on announcements. Autonomous systems — the discrete routing domains that make up the internet’s backbone — broadcast which IP prefixes they can reach and how to get there. Every carrier, cloud provider, and major enterprise has an Autonomous System Number (ASN), and BGP is what ties them together.

The protocol has no built-in mechanism to verify that an AS actually owns the prefixes it’s advertising. That gap is the attack surface.

Nation-state actors have exploited this in three primary ways:

  • Prefix hijacking: An adversary AS announces IP prefixes it doesn’t legitimately own, pulling traffic away from the rightful origin toward attacker-controlled infrastructure.
  • Next-hop redirection: The BGP-advertised forwarding address for a route is substituted with an adversary-controlled router, inserting a silent relay into the traffic path without altering the apparent routing topology.
  • Route leaks and deliberate injection: Routes are re-advertised to peers in violation of established peering policy, either accidentally through misconfiguration or deliberately to misdirect traffic through attacker-controlled paths.

What makes these techniques particularly effective for intelligence collection is that they can be transient. A BGP hijack that lasts minutes — long enough to intercept a session establishment or a certificate exchange — may never appear in a SIEM alert. Logs don’t capture routing events at the control plane. And the victim’s traffic often returns to normal routing afterward, leaving no obvious forensic trace.

Mapping Before Moving: The Routing Reconnaissance Phase

Before a BGP manipulation event, there’s typically a reconnaissance phase — and it’s visible in the metadata, too.

Nation-state actors targeting carrier infrastructure don’t manipulate routing blindly. They build a picture of the AS-level topology first: which ASes peer with which, what prefixes route where, and where the traffic concentrations are. BGP flow metadata at carrier scale is a live map of this topology — every observed AS relationship, every peering pair, every routing path.

For defenders, that same metadata is a behavioral baseline. Any deviation from it is a signal. A new AS relationship that appears without a corresponding business or peering agreement. A prefix being announced by an origin AS that has never touched it before. A next-hop IP that doesn’t belong to the expected peer.

The FCC recognized this attack surface explicitly in its 2022 Secure Internet Routing Notice of Inquiry, identifying prefix hijacking, route leaks, and next-hop manipulation as the three primary inter-domain routing threats facing U.S. carrier infrastructure. A 2024 follow-on Order extended that framework by introducing BGP incident reporting requirements for broadband providers. What neither action could specify was how to detect these threats at scale — in real time, across a carrier’s full AS topology, without adding instrumentation to every router.

The Interception: When Next-Hop Becomes Adversary-Controlled

The most operationally significant BGP technique in the nation-state playbook isn’t a full prefix hijack. It’s next-hop redirection. And it’s designed to be invisible.

A BGP next-hop manipulation inserts an adversary-controlled router into the forwarding path without changing the apparent routing topology visible to participants. Traffic flows normally from the sender’s perspective. The receiver gets its packets. Only the path has changed — and the new hop is collecting everything in transit.

This technique has been documented in nation-state operations targeting telecom backbone peers, and it is consistent with Salt Typhoon’s broader posture of positioning for passive collection within carrier infrastructure — minimizing footprint while maximizing access. The actors don’t need to break encryption. Session metadata, traffic volume patterns, timing correlations, and certificate exchanges are valuable intelligence even from encrypted flows.

The detection signal is behavioral: the BGP-advertised forwarding address for a given peering relationship deviates from every historically observed value for that peer. That deviation is unambiguous — legitimate routing changes are rare and typically correspond to known infrastructure events. An unexpected next-hop IP belonging to foreign or unallocated address space, appearing against a domestic peering session, is a Tier 1 collection indicator.

Critically, that signal doesn’t require access to router logs or BGP table snapshots. It’s observable in flow-level metadata, in real time, for every BGP session traversing the sensor.

Distinguishing Misconfiguration from Malicious Intent

One of the harder problems in BGP threat hunting is distinguishing deliberate manipulation from the accidental route leaks that occur constantly across the global routing table. Misconfigurations are common. Qrator Labs documented over 3,000 unique leaking ASes in a single quarter in 2024 alone.

The differentiator is correlation. An accidental route leak typically affects one or two metadata relationships at a time — the originating AS starts advertising to the wrong peer, but the rest of its behavior is consistent with its established baseline. Deliberate route injection is different: the source AS, the destination being advertised, and the next-hop forwarding address all deviate simultaneously from established baselines.

Three fields. Three simultaneous deviations. The probability of all three occurring by accident is extremely low. That trifecta is the signature of intent.

This is where behavioral baselining at scale changes the detection calculus. A rolling baseline of AS peering relationships — who advertises what, to whom, via which next-hop — turns that three-field correlation into an automated detection signal rather than a manual investigation.

It also enables a detection capability that’s entirely absent from endpoint-centric security stacks: the ability to see your own prefixes being hijacked. If your own AS number appears as a destination in flows originating from an unexpected or foreign source AS, your address space may be actively advertised by an adversary. That’s a compliance trigger under FCC routing security guidance — and it’s only detectable from passive observation of the routing control plane.
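The detection logic described in the last few sections, as an added example that is not NetworkLens code: a baseline learned from historical flow records (which neighbour advertised which prefix, from which origin AS, via which next-hop), then scored per live record for the next-hop deviation signal, the three-field correlation that separates injection from a leak, and an own-prefix hijack. The record layout, the ASNs, prefixes and next-hops are all constructed sample values (documentation ASNs and TEST-NET ranges), and the verdict labels are this example's own.

```python
"""Behavioral baselining over BGP flow metadata.  Added example, not
NetworkLens code: a baseline of who advertises which prefix, from which
origin AS, via which next-hop, scored for the deviations the text
describes.  Every record below is constructed sample data."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class BgpFlow:
    """One observed announcement, as a passive sensor would export it."""
    source_as: int   # neighbour AS the announcement was received from
    prefix: str      # advertised NLRI
    origin_as: int   # last AS in AS_PATH
    next_hop: str    # NEXT_HOP attribute


class RoutingBaseline:
    def __init__(self, own_asn: int, own_prefixes: list):
        self.own_asn = own_asn
        self.own_nets = [ipaddress.ip_network(p) for p in own_prefixes]
        self.advertised = defaultdict(set)   # source_as -> {prefix}
        self.origins = defaultdict(set)      # prefix -> {origin_as}
        self.next_hops = defaultdict(set)    # source_as -> {next_hop}

    def learn(self, flow: BgpFlow) -> None:
        """Fold a trusted historical record into the baseline."""
        self.advertised[flow.source_as].add(flow.prefix)
        self.origins[flow.prefix].add(flow.origin_as)
        self.next_hops[flow.source_as].add(flow.next_hop)

    def evaluate(self, flow: BgpFlow) -> dict:
        """Score one live record; returns the deviating fields and a verdict."""
        deviations = []
        if flow.prefix not in self.advertised.get(flow.source_as, set()):
            deviations.append("unexpected_source")    # peering pair outside baseline
        if flow.origin_as not in self.origins.get(flow.prefix, set()):
            deviations.append("new_origin")           # origin never seen for this prefix
        if flow.next_hop not in self.next_hops.get(flow.source_as, set()):
            deviations.append("next_hop_deviation")   # forwarding address outside peer history

        net = ipaddress.ip_network(flow.prefix)
        own_space = any(net.subnet_of(o) for o in self.own_nets)

        if own_space and flow.origin_as != self.own_asn:
            verdict = "own_prefix_hijack"       # our address space announced by a foreign origin
        elif len(deviations) == 3:
            verdict = "injection_signature"     # all three fields deviate at once
        elif deviations == ["next_hop_deviation"]:
            verdict = "next_hop_redirection"    # topology unchanged, forwarding path changed
        elif deviations:
            verdict = "probable_leak"           # one or two fields: consistent with misconfiguration
        else:
            verdict = "baseline_match"
        return {"verdict": verdict, "deviations": deviations}


# Constructed history: what the sensor saw during the baseline window.
HISTORY = [
    BgpFlow(64500, "203.0.113.0/24", 64505, "192.0.2.1"),
    BgpFlow(64500, "203.0.113.128/25", 64506, "192.0.2.1"),
    BgpFlow(64501, "203.0.113.128/25", 64506, "192.0.2.9"),
]

# Constructed live records, one per scenario discussed in the text.
PROBES = {
    "steady_state": BgpFlow(64500, "203.0.113.0/24", 64505, "192.0.2.1"),
    "leak":         BgpFlow(64501, "203.0.113.0/24", 64505, "192.0.2.9"),
    "redirect":     BgpFlow(64500, "203.0.113.0/24", 64505, "192.0.2.77"),
    "injection":    BgpFlow(64511, "203.0.113.0/24", 64511, "192.0.2.200"),
    "own_hijack":   BgpFlow(64500, "198.51.100.0/25", 64511, "192.0.2.1"),
}


def run_demo() -> dict:
    """Learn HISTORY, then score every probe; returns scenario -> verdict."""
    baseline = RoutingBaseline(own_asn=64496, own_prefixes=["198.51.100.0/24"])
    for flow in HISTORY:
        baseline.learn(flow)
    return {name: baseline.evaluate(flow)["verdict"] for name, flow in PROBES.items()}


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:13s} -> {verdict}")
```

The leak probe is a known neighbour advertising a prefix it never carried before, with the usual origin and next-hop: one field deviates, so it scores as a probable misconfiguration. The injection probe deviates on all three fields and the own-hijack probe is a more-specific of our own /24 with a foreign origin, which is why the subnet check is done on the announced prefix rather than on an exact string match. In production the baseline would be rolled over a time window and populated from a trusted period rather than a fixed list.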

Why Traditional Security Tools Miss This Entirely

BGP operates at the inter-domain routing layer — between networks, not inside them. The security tooling that most organizations and even many carriers have deployed is oriented inward: endpoint detection, SIEM correlation of internal logs, perimeter firewall events. None of those surfaces sees what happens at the BGP control plane.

Router syslog can capture BGP events, but only if you have access to every BGP-speaking router in the topology, the telemetry pipeline to aggregate those logs at scale, and the detection logic to identify anomalies against a behavioral baseline. At carrier scale, that’s not a solvable problem with traditional log aggregation.

The alternative is passive observation of the network itself — capturing BGP session metadata at wire rate from the traffic traversing the carrier’s infrastructure, without depending on router-sourced telemetry. This approach scales with traffic volume rather than with device count, and it doesn’t require administrative access to the routing infrastructure being monitored.
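What "capturing BGP session metadata from the traffic" means in practice, as an added example that is not NetworkLens code: a decoder for the BGP UPDATE message format defined in RFC 4271 that pulls out the fields a passive sensor baselines (AS path, origin AS, next-hop, announced and withdrawn prefixes). It assumes IPv4 unicast NLRI and 2-octet ASNs unless as4 is set, ignores attributes other than AS_PATH and NEXT_HOP, and decodes a sample message that is constructed in the block rather than captured.

```python
"""Extract routing metadata from a BGP UPDATE message (RFC 4271) as a
passive sensor would from captured session traffic.  Added example, not
NetworkLens code; the message decoded below is constructed, not captured."""
import ipaddress
import struct
from dataclasses import dataclass, field
from typing import Optional

BGP_UPDATE = 2
ATTR_ORIGIN, ATTR_AS_PATH, ATTR_NEXT_HOP = 1, 2, 3
AS_SEQUENCE = 2
FLAG_EXTENDED_LENGTH = 0x10


@dataclass
class UpdateMetadata:
    as_path: list = field(default_factory=list)
    origin_as: Optional[int] = None
    next_hop: Optional[str] = None
    prefixes: list = field(default_factory=list)
    withdrawn: list = field(default_factory=list)


def _parse_nlri(buf: bytes) -> list:
    """Decode <prefix-length, prefix> tuples; prefix bytes are packed to whole octets."""
    out, pos = [], 0
    while pos < len(buf):
        plen = buf[pos]
        nbytes = (plen + 7) // 8
        raw = buf[pos + 1:pos + 1 + nbytes].ljust(4, b"\x00")
        out.append(f"{ipaddress.IPv4Address(raw)}/{plen}")
        pos += 1 + nbytes
    return out


def parse_update(msg: bytes, as4: bool = False) -> UpdateMetadata:
    """Return AS path, origin AS, next-hop and prefixes of one UPDATE message.
    as4=True decodes 4-octet ASNs (sessions that negotiated RFC 6793)."""
    if len(msg) < 19 or msg[:16] != b"\xff" * 16:
        raise ValueError("missing BGP marker")
    length, mtype = struct.unpack("!HB", msg[16:19])
    if mtype != BGP_UPDATE or length != len(msg):
        raise ValueError("not a well-formed UPDATE")
    body = msg[19:]
    meta = UpdateMetadata()

    wlen = struct.unpack("!H", body[:2])[0]
    meta.withdrawn = _parse_nlri(body[2:2 + wlen])
    pos = 2 + wlen
    alen = struct.unpack("!H", body[pos:pos + 2])[0]
    attrs, nlri = body[pos + 2:pos + 2 + alen], body[pos + 2 + alen:]

    asn_size = 4 if as4 else 2
    i = 0
    while i < len(attrs):
        flags, code = attrs[i], attrs[i + 1]
        if flags & FLAG_EXTENDED_LENGTH:       # 2-octet attribute length
            vlen = struct.unpack("!H", attrs[i + 2:i + 4])[0]
            i += 4
        else:
            vlen = attrs[i + 2]
            i += 3
        value, i = attrs[i:i + vlen], i + vlen
        if code == ATTR_NEXT_HOP and vlen == 4:
            meta.next_hop = str(ipaddress.IPv4Address(value))
        elif code == ATTR_AS_PATH:
            j = 0
            while j < len(value):
                seg_type, count = value[j], value[j + 1]
                j += 2
                seg = [int.from_bytes(value[j + k * asn_size:j + (k + 1) * asn_size], "big")
                       for k in range(count)]
                j += count * asn_size
                if seg_type == AS_SEQUENCE:    # AS_SET segments are unordered; skipped here
                    meta.as_path.extend(seg)
    # the origin AS is the last AS in the AS_PATH
    meta.origin_as = meta.as_path[-1] if meta.as_path else None
    meta.prefixes = _parse_nlri(nlri)
    return meta


def build_update(as_path, next_hop, prefixes) -> bytes:
    """Encode a minimal UPDATE with 2-octet ASNs so the parser can run offline."""
    path_val = bytes([AS_SEQUENCE, len(as_path)]) + b"".join(struct.pack("!H", a) for a in as_path)
    attrs = (bytes([0x40, ATTR_ORIGIN, 1, 0])                      # ORIGIN = IGP
             + bytes([0x40, ATTR_AS_PATH, len(path_val)]) + path_val
             + bytes([0x40, ATTR_NEXT_HOP, 4]) + ipaddress.IPv4Address(next_hop).packed)
    nlri = b""
    for p in prefixes:
        net = ipaddress.IPv4Network(p)
        nlri += bytes([net.prefixlen]) + net.network_address.packed[:(net.prefixlen + 7) // 8]
    body = struct.pack("!HH", 0, len(attrs)) + attrs + nlri       # no withdrawn routes
    return b"\xff" * 16 + struct.pack("!HB", 19 + len(body), BGP_UPDATE) + body


# Constructed sample: a neighbour in AS 64496 relays a route originated by AS 64511.
SAMPLE_UPDATE = build_update([64496, 64500, 64511], "192.0.2.1",
                             ["198.51.100.0/24", "203.0.113.0/25"])

if __name__ == "__main__":
    print(parse_update(SAMPLE_UPDATE))
```

Each decoded message yields exactly the tuple a baseline needs (neighbour, prefix, origin AS, next-hop), and because the decoder reads the session bytes rather than router telemetry, it keeps working when the router itself is the untrusted component.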

For defense and intelligence agencies operating in environments where adversary access to routing infrastructure is a known risk — as Salt Typhoon’s documented reach into U.S. carrier networks demonstrates — the independence from router-sourced telemetry isn’t just convenient. It’s architecturally necessary.

[Figure: BGP routing manipulation, legitimate vs adversary path (NetworkLens). Side-by-side comparison of legitimate BGP routing and adversary-manipulated routing, with a passive metadata detection layer at the bottom showing how deviations are caught. Legitimate routing panel: Source AS (legitimate origin), BGP announcement (prefix matches owner), Transit AS (expected next hop), Destination (traffic arrives intact). BGP manipulation panel: Source AS (legitimate origin), rogue announcement (hijacked prefix or next-hop), adversary node (silent collection point), Destination (traffic arrives, unaware). Passive metadata observation layer: new AS origin, unexpected next-hop, peering pair outside baseline; baseline match produces no alert, deviation detected produces an alert.]

NetworkLens - BGP Dataset

NetQuest NetworkLens captures BGP session metadata at wire rate up to 1.6 Tbps across carrier AS topologies, without sampling and without dependency on router-sourced telemetry.

BGP flow records expose the AS relationships, origin announcements, and forwarding addresses that make prefix hijacking, next-hop redirection, and route leak detection possible at hyperscale. Every BGP flow record is exported in real time via IPFIX or Kafka, structured for direct ingestion into AI/ML threat hunting pipelines and analytics platforms.

Detection signals surfaced by NetworkLens BGP data include:

  • New or unexpected AS origin for established destination prefixes
  • Next-hop IP deviations from established peer AS allocations
  • AS peering pairs outside established routing policy baselines
  • Triple-field correlation signatures distinguishing injection from misconfiguration
  • Own-prefix hijack detection via foreign-origin AS flows

The Wire Sees What the Logs Miss

Salt Typhoon’s presence in U.S. carrier infrastructure wasn’t discovered through endpoint alerts or firewall logs. It was discovered through the kind of network-level visibility that most security programs treat as secondary — or skip entirely.

The routing control plane is where large-scale passive collection becomes possible. It’s also where the earliest detection signals appear — before a credential is stolen, before a session is intercepted, before the attacker has accomplished anything except changing the map.

BGP metadata isn’t exotic telemetry. It’s the record of how your network — and the networks adjacent to yours — actually behaves at the routing layer. The question is whether you’re observing it.
